Can Haz RFID? Noes? I HAZ FN FAL!

Via comp.risks, across the wire the electric message came: German students crack encryption on over 2bn RFID smartcards made by NXP Semiconductor. The cards in question are NXP’s MiFare Classic type, and are used for public transport... but also for access control in sensitive government installations, it turns out. Inevitably, NXP threw up its hands – who could have imagined anyone would use our product against the label?

What is especially interesting is that an unnamed European country has placed troops at facilities that were supposedly secured by MiFare RFID locks; it’s a real HALTING STATE moment. Time to break out the sealed bags of PAYG mobiles and bottled water, start the alerting tree, and move to your crashout location. (I know civil servants who actually did draw new mobiles, on BT Cellnet as was, for the millennium weekend.)

Of course, as the pesky student points out, it’s an inherent weakness of RFID that it’s, well, radio frequency identification; everything is public, so if the crypto doesn’t work, the whole system becomes a menace.

Update: The mighty Bruce Schneier has much more. The cards are the ones used in the Tube.


  1. Dutch students did the same, earlier this week, with the chips used in both the new Dutch oyster card equivalent, as well as the access cards used in many governmental buildings…



